Description:
A buffer overflow vulnerability was reported in IBM's DB2 database. A local user can gain root access on the system.

IBM reported that there is a buffer overflow in the 'sqllib/security/db2ckpw' file that is used to verify usernames and passwords. A local user can supply a username that is longer than 8 characters to trigger the overflow and possibly cause arbitrary code to be executed. Because 'db2ckpw' is configured with set user id (suid) root privileges, the code will run with root level privileges.
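
IBM's advisory, forwarded below, says db2ckpw reads the username and password from a file descriptor and trusts the DB2 client to keep the username to 8 characters. The following C code is an added example, not IBM's code and not part of the original advisory: it shows the privileged side enforcing the limit itself and rejecting over-long input instead of copying it. The newline-terminated field format and the names `read_field`, `read_credentials` and `check` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define USERNAME_MAX 8 /* limit the advisory says the client enforced */

/* Read one newline-terminated field from fd into out (cap bytes, NUL
 * included); returns its length or -1. Framing is assumed, not IBM's. */
static int read_field(int fd, char *out, size_t cap)
{
    for (size_t n = 0; n < cap; n++) {
        char c;
        if (read(fd, &c, 1) != 1 || c == '\0')
            return -1;          /* fail closed on error, EOF or NUL */
        if (c == '\n') {
            out[n] = '\0';
            return (int)n;
        }
        out[n] = c;
    }
    return -1;                  /* no terminator within cap - 1 bytes */
}

/* Privileged side enforces the limit; user holds USERNAME_MAX + 1 bytes. */
int read_credentials(int fd, char *user, char *pass, size_t pass_cap)
{
    if (read_field(fd, user, USERNAME_MAX + 1) <= 0)
        return -1;              /* empty or over-long username */
    return read_field(fd, pass, pass_cap) < 0 ? -1 : 0;
}

/* Hand a constructed input to read_credentials() through a pipe. */
int check(const char *input)
{
    int p[2], rc;
    char user[USERNAME_MAX + 1], pass[64];
    if (pipe(p) != 0)
        return -2;
    ssize_t w = write(p[1], input, strlen(input));
    close(p[1]);                /* reader sees EOF after the input */
    rc = w < 0 ? -2 : read_credentials(p[0], user, pass, sizeof pass);
    close(p[0]);
    return rc;
}

int main(void)
{
    printf("%d %d\n", check("db2inst1\nsecret\n"), check("ninechars\nsecret\n"));
    return 0;
}
```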

Impact:
A local user can execute arbitrary code on the system with root privileges to gain root level access on the operating system.

Solution:
The vendor has released FixPaks:

For DB2, version 6, download and apply DB2 v6.1, FixPak 10 (use FixPak 10 version released after 6 March 2002).

Subject: IBM OAR [Other Advisories]: Buffer overflow vulnerability in DB2 for AIX, Linux, Solaris, and HP-UX
IBM Global Services
Managed Security Services
Outside Advisory Redistribution
10 MAY 2002 14:46 GMT
MSS-OAR-E01-2002:318.1
===========================================================================
The MSS Outside Advisory Redistribution is designed to provide customers of
IBM Managed Security Services with access to the security advisories sent
out by other computer security incident response teams, vendors, and other
groups concerned about security.
IBM makes no representations and assumes no responsibility for the contents
or accuracy of the advisories themselves.
IBM MSS is forwarding the following information from IBM. Contact
information for IBM is included in the forwarded text below. Please contact
them if you have any questions or need further information.
===========================================================================
----------- Forwarded Information Starts Here.
IBM SECURITY ADVISORY
Wed May 08 13:29:22 CDT 2002
=========================================================================
VULNERABILITY SUMMARY
VULNERABILITY: Buffer overflow vulnerability in DB2 for AIX, Linux,
Solaris, and HP-UX
PLATFORMS: DB2, versions 6 and 7, running on AIX, all versions
SOLUTION: Apply the FixPaks, listed in this Advisory
THREAT: Malicious user can gain root privileges
CERT Advisory: NONE
=========================================================================
DETAILED INFORMATION
I. Description
A security vulnerability was discovered in versions 6 and 7 of DB2 that runs
on IBM AIX, Linux implementations, SUN Solaris, and HP's HP-UX.
Specifically, this is a buffer overflow condition in
sqllib/security/db2ckpw.
"db2ckpw" is an executable that runs as SUID (setuserid) root; DB2 uses the
returns of this executable to verify usernames and passwords.
It takes a file descriptor as its argument and then reads username and
password information from that file descriptor. The buffer overflow occurs
while processing the username. The db2 client is trusted to make sure that
the username is 8 characters or less. By bypassing the db2 client libraries
and sending info directly to db2ckpw, one can overflow the username buffer
and execute arbitrary code as root.
II. Impact
Unauthorized privilege escalation (possibly to root) and execution of
arbitrary code.
III. Solutions
Workaround
There is no workaround.
Official fix
Customers are urged to immediately obtain the appropriate FixPak listed
below and apply it to their systems.
If you are running DB2, version 6, you need to download and apply DB2 v6.1,
FixPak 10 (use FixPak 10 version released after 6 March 2002).
If running DB2, version 7, download and apply DB2, v7.2, FixPak 6.
These FixPaks can be downloaded from:
DB2 v7:
http://www-4.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/download.d2w/report#V7
DB2 v6:
http://www-4.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/download.d2w/report#V6
IV. Contact Information
Comments regarding the content of this announcement can be directed to:
security-alert@austin.ibm.com
To request the PGP public key that can be used to encrypt new AIX security
vulnerabilities, send email to:
security-alert@austin.ibm.com
with a subject of "get key".
If you would like to subscribe to the AIX security newsletter, send a note
to aixserv@austin.ibm.com with a subject of "subscribe Security".
To cancel your subscription, use a subject of "unsubscribe Security". To see
a list of other available subscriptions, use a subject of "help".
IBM and AIX are registered trademarks of International Business Machines
Corporation. All other trademarks are property of their respective holders.
----------- Forwarded Information Ends Here.
===========================================================================
IBM's Managed Security Services (MSS) is a subscription-based Internet
security response service that includes computer security incident response
and management, regular electronic verification of your Internet gateway(s),
and security vulnerability alerts similar to this one that are tailored to
your specific computing environment. By acting as an extension of your own
internal security staff, IBM MSS's team of Internet security experts helps
you quickly detect and respond to attacks and exposures across your Internet
connection(s).
As a part of IBM's Business Continuity and Recovery Service IBM's Managed
Security Services is a component of IBM Global Services Privacy and Security
Services suite of offerings. To find out more about IBM Managed Security
Services, send an electronic mail message to ers-sales@ers.ibm.com, or call
1-800-426-7378.
IBM MSS maintains a site on the World Wide Web at
http://www-1.ibm.com/services/continuity/recover1.nsf/ers/mss+home
Visit the site for information about the service, copies of security alerts,
team contact information, and other items.
IBM MSS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism
for security vulnerability alerts and other distributed information. The
IBM MSS PGP* public key is available from
http://www-1.ibm.com/services/continuity/recover1.nsf/mss/PGP
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.
IBM MSS is a Member Team of the Forum of Incident Response and Security
Teams (FIRST), a global organization established to foster cooperation and
response coordination among computer security teams worldwide.
The information in this document is provided as a service to customers of
IBM Managed Security Services. Neither International Business Machines
Corporation, nor any of its employees, makes any warranty, express or
implied, or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, apparatus, product, or
process contained herein, or represents that its use would not infringe any
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by IBM or its subsidiaries. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of IBM or its subsidiaries, and may not be used for advertising or
product endorsement purposes.
===========================================================================